Re: Linux server as it own firewall

From: Seth Arnold (sarnold@wirex.com)
Date: 09/13/01


Date: Thu, 13 Sep 2001 09:21:38 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com
Subject: Re: Linux server as it own firewall
Message-ID: <20010913092138.A30987@wirex.com>

On Wed, Sep 12, 2001 at 01:25:21PM -0400, James Puckett wrote:
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables.

Every time someone mentions firewalls, I always think of a quote I heard
once: "Firewalls are a symptom of broken hosts". (Anyone who knows the
original source of this quote, please let me know privately. :)

Given the rise in services offered over http (SOAP et al :) firewalls
are beginning to be of even more dubious value. (And are partly the
cause of this problem .. by making everything except web traffic
difficult, product designers simply use web traffic. Now, "web traffic"
is much harder to separate from other stuff, such as SOAP.)

In the end, I say, go ahead and run some firewall software on the host
offering the services. The value of this firewall will mostly come in
the form of disallowing connections from strange addresses, and
disallowing outgoing connections coming from strange addresses. (egress
filtering is very kind for the rest of the internet. :)

But don't expect the firewall software on the host to be some sort of
magic security bullet. Your web server (whatever :) is still going to be
listening to port 80, it is still going to answer for nearly everyone
that tries connecting, and if someone finds a buffer overflow in the web
server, it can still be compromised.
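The host firewall described in the message above, accepting only the one offered service inbound, dropping inbound packets that arrive on the public interface with strange (private or loopback, hence spoofed) source addresses, and egress-filtering so that nothing leaves the host with a source address other than its own, written out as an iptables-restore ruleset. This is an added example and not code from the original thread; the address 203.0.113.10 (documentation range) and the interface name eth0 are placeholders, and the script only generates the ruleset text rather than loading it into the kernel.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a server that firewalls itself:
# - accept inbound HTTP, the service the host actually offers,
# - drop inbound packets on the public interface whose source is a private
#   or loopback address (they cannot legitimately arrive from the internet),
# - egress filtering: drop anything leaving with a source address that is
#   not the host's own, so a compromised host cannot spoof other networks.
# Assumed values: host address and interface are passed in as arguments;
# 203.0.113.10 / eth0 in the usage line below are placeholders.

gen_rules() {
    host_ip="$1"    # the host's own public address
    iface="$2"      # the public-facing interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ingress: private and loopback sources have no business arriving on the
# public interface; treat them as spoofed and drop them first
-A INPUT -i $iface -s 10.0.0.0/8 -j DROP
-A INPUT -i $iface -s 172.16.0.0/12 -j DROP
-A INPUT -i $iface -s 192.168.0.0/16 -j DROP
-A INPUT -i $iface -s 127.0.0.0/8 -j DROP
# ingress: the one service offered, plus replies to connections we opened
-A INPUT -i $iface -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# egress: every packet leaving the public interface must carry our own address
-A OUTPUT -o $iface ! -s $host_ip -j DROP
# egress: replies on accepted connections, plus new outbound TCP, DNS and ICMP
-A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $iface -p tcp -m state --state NEW -j ACCEPT
-A OUTPUT -o $iface -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $iface -p icmp -j ACCEPT
COMMIT
EOF
}

# Count the rules implementing egress source-address filtering, so the
# generated ruleset can be checked without loading it (expected: 1).
count_egress_spoof_rules() {
    gen_rules "$1" "$2" | grep -c -- "^-A OUTPUT -o $2 ! -s $1 -j DROP"
}

# usage: gen_rules 203.0.113.10 eth0 > rules.v4   (load with: iptables-restore < rules.v4)
```

The egress rule sits before any OUTPUT ACCEPT so that a spoofed packet is dropped regardless of protocol; the ingress anti-spoof rules likewise precede the port 80 ACCEPT. Loading the ruleset requires root and, as the message says, does nothing for a buffer overflow in the web server itself: port 80 remains open to nearly everyone.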